keyVaultClient |
MongoDB\Driver\Manager |
The Manager used to route data key queries. This option is required (unlike with MongoDB\Driver\Manager::createClientEncryption). |
keyVaultNamespace |
string |
A fully qualified namespace (e.g. "databaseName.collectionName" ) denoting the collection that contains all data keys used for encryption and decryption. |
kmsProviders |
array |
A document containing the configuration for one or more KMS providers, which are used to encrypt data keys. Supported providers include "aws" , "azure" , "gcp" , "kmip" , and "local" and at least one must be specified.
If an empty document is specified for "aws" ,
"azure" , or "gcp" , the driver
will attempt to configure the provider using
» Automatic Credentials.
The format for "aws" is as follows:
aws: {
accessKeyId: <string>,
secretAccessKey: <string>,
sessionToken: <optional string>
}
The format for "azure" is as follows:
azure: {
tenantId: <string>,
clientId: <string>,
clientSecret: <string>,
identityPlatformEndpoint: <optional string> // Defaults to "login.microsoftonline.com"
}
The format for "gcp" is as follows:
gcp: {
email: <string>,
privateKey: <base64 string>|<MongoDB\BSON\Binary>,
endpoint: <optional string> // Defaults to "oauth2.googleapis.com"
}
The format for "kmip" is as follows:
kmip: {
endpoint: <string>
}
The format for "local" is as follows:
local: {
// 96-byte master key used to encrypt/decrypt data keys
key: <base64 string>|<MongoDB\BSON\Binary>
}
|
tlsOptions |
array |
A document containing the TLS configuration for one or more KMS providers. Supported providers include "aws" , "azure" , "gcp" , and "kmip" . All providers support the following options:
<provider>: {
tlsCaFile: <optional string>,
tlsCertificateKeyFile: <optional string>,
tlsCertificateKeyFilePassword: <optional string>,
tlsDisableOCSPEndpointCheck: <optional bool>
}
|